Royal ransomware: a threat actor you should know

Posted by HSSL Technologies on Apr 5th 2024

The ransomware ecosystem is always changing. The tools of the trade are under constant development, the ransomware operators move from one group to another, and ransomware groups will go dark and rebrand in response to law enforcement, sanctions, or internal politics. Today, we are looking at Royal ransomware, which may be best known as the group that attacked the city of Dallas in May 2023.


Who and what is Royal ransomware?

Royal Ransomware (Royal, Royal Hacking Group) is a relatively new threat group that has made some big money off the backs of healthcare organizations, private companies, and local governments. Royal was initially operating as Zeon when it was discovered in 2022 but rebranded to Royal in September of that year. The Health Sector Cybersecurity Coordination Center (HC3) published an analyst note describing Royal as a threat to the Healthcare and Public Health (HPH) Sector in December of that year. In March 2023, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued an extensive joint Cybersecurity Advisory (CSA), #StopRansomware: Royal Ransomware, detailing the threats posed by this group.

There were early indications that the operators of Royal Ransomware were experienced threat actors who had split from Conti and other ransomware groups. Early attacks focused on healthcare organizations in the United States but soon expanded to other sectors and international targets. Ransom demands range from $250,000 to over $2 million USD. From September 2022 through November 2023, Royal targeted over 350 known victims worldwide, and the ransoms demanded of these victims exceeded $275 million.


Notable attacks

Royal's most widely recognized attack may be the one on the city of Dallas, Texas, which fell victim to the group in May 2023. The city published an extensive after-action report that identifies the attackers as the Royal Hacking Group and details the group's activities in city systems. The report also puts the cost of direct mitigation at $8.5 million and the hours dedicated to comprehensive mitigation at 39,590, both as of the time of the report.

Silverstone Formula One (Silverstone, Silverstone Circuit) was successfully attacked by Royal in late 2022. Silverstone discovered this when Royal published an announcement on its leak site.

Characteristics and intrusion methods

Partial Encryption: Royal ransomware uses a unique approach where it can choose a specific percentage of data within a file to encrypt. This makes it very difficult, if not impossible, to decrypt files without the decryption key held by the attackers.
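Because only some of a file's content is overwritten, a whole-file entropy average can miss partially encrypted files during triage of shares or backups. The following added example (not code from the original post or from any vendor tool) scores a file chunk by chunk instead; the 4 KiB chunk size, the 7.5 bits/byte threshold and the sample file are assumptions constructed for the demonstration.

```python
import math
import random

CHUNK_SIZE = 4096        # assumption: inspect files in 4 KiB chunks
CIPHERTEXT_ENTROPY = 7.5 # bits per byte; encrypted or random data sits near 8.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 max."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def encrypted_fraction(data: bytes, chunk_size: int = CHUNK_SIZE) -> float:
    """Fraction of chunks whose entropy looks like ciphertext; a whole-file
    average would mask a file that is only partly encrypted."""
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]
    if not chunks:
        return 0.0
    hot = sum(1 for c in chunks if shannon_entropy(c) >= CIPHERTEXT_ENTROPY)
    return hot / len(chunks)

def classify(data: bytes) -> str:
    """Triage label: plaintext, partially-encrypted or fully-encrypted."""
    f = encrypted_fraction(data)
    if f == 0.0:
        return "plaintext"
    if f >= 0.95:
        return "fully-encrypted"
    return "partially-encrypted"

# Constructed sample input: a 64 KiB document-like file of repeated text (16 chunks).
PLAIN_FILE = (b"Quarterly budget report for the water utility department.\n" * 80)[:CHUNK_SIZE] * 16

def overwrite_chunks(plain: bytes, percent: int, seed: int = 1) -> bytes:
    """Constructed test fixture: replace the first `percent` of chunks with random
    bytes so the result resembles a file of which only part was encrypted."""
    rng = random.Random(seed)
    chunks = [plain[i:i + CHUNK_SIZE] for i in range(0, len(plain), CHUNK_SIZE)]
    for i in range(round(len(chunks) * percent / 100)):
        chunks[i] = rng.randbytes(len(chunks[i]))
    return b"".join(chunks)

if __name__ == "__main__":
    for pct in (0, 50, 100):
        sample = overwrite_chunks(PLAIN_FILE, pct)
        print(f"{pct:3d}% of chunks overwritten -> {classify(sample)}")
```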

Double Extortion: Before encrypting the victim's data, Royal conducts data exfiltration and extortion, threatening to publish the data if their demands are not met.

Indicators of Compromise (IOCs): Some IOCs associated with Royal ransomware include the encrypted file extension `.royal`, ransom notes named `README.TXT`, and various malicious IP addresses.
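The two file-system indicators above are most useful when correlated in telemetry rather than matched one at a time. The following added example (not from the original post) does that over a few constructed file-creation events in a simplified `timestamp host path` format, alerting only when one host shows both `.royal` files and `README.TXT` dropped in more than one directory, so an ordinary project README does not trigger; the event format and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Assumptions for this example: events come as "timestamp host path" lines (a
# constructed, simplified format) and the thresholds are illustrative only.
ROYAL_EXT = ".royal"
RANSOM_NOTE = "README.TXT"
MIN_ENCRYPTED_FILES = 3    # .royal files seen on one host
MIN_NOTE_DIRECTORIES = 2   # distinct directories holding the ransom note
EVENT_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<path>.+)$")

def parse_events(lines):
    """Yield (host, path) for each well-formed line; malformed lines are skipped."""
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            yield m.group("host"), m.group("path")

def score_hosts(lines):
    """Per host: count of .royal files and the set of directories holding a
    README.TXT (ransom notes are dropped into many folders at once)."""
    stats = defaultdict(lambda: {"royal_files": 0, "note_dirs": set()})
    for host, path in parse_events(lines):
        directory, _, name = path.rpartition("\\")
        if name.lower().endswith(ROYAL_EXT):
            stats[host]["royal_files"] += 1
        elif name.upper() == RANSOM_NOTE:
            stats[host]["note_dirs"].add(directory.lower())
    return stats

def alert_hosts(lines):
    """Hosts where both indicators cross threshold; a lone README.TXT (an ordinary
    project file) or a single odd extension does not alert on its own."""
    return sorted(host for host, s in score_hosts(lines).items()
                  if s["royal_files"] >= MIN_ENCRYPTED_FILES
                  and len(s["note_dirs"]) >= MIN_NOTE_DIRECTORIES)

# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    r"2024-04-05T02:10:01Z fs01 D:\Shares\Finance\budget.xlsx.royal",
    r"2024-04-05T02:10:01Z fs01 D:\Shares\Finance\README.TXT",
    r"2024-04-05T02:10:02Z fs01 D:\Shares\Finance\forecast.docx.royal",
    r"2024-04-05T02:10:03Z fs01 D:\Shares\HR\roster.pdf.royal",
    r"2024-04-05T02:10:03Z fs01 D:\Shares\HR\README.TXT",
    r"2024-04-05T09:15:44Z ws07 C:\Users\dev\repo\README.TXT",
    "corrupted-record",
]

if __name__ == "__main__":
    print("hosts to investigate:", alert_hosts(SAMPLE_EVENTS))
```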

The following list of intrusion methods is taken from the CISA advisory on Royal:

Phishing: Phishing emails are Royal's primary initial access vector, accounting for 66% of the group's initial access. The group uses both standard and callback phishing to lure victims.
Remote Desktop Protocol (RDP): RDP compromise has been the initial access point in roughly 13.3% of incidents, making it the second most effective attack type for Royal.
Public-facing applications: The FBI has also observed Royal threat actors gain initial access through exploiting public-facing applications.
Brokers: Reports from trusted third-party sources indicate that Royal threat actors may leverage brokers to gain initial access and source traffic by harvesting virtual private network (VPN) credentials from stealer logs.

Relationship to Other Threats

Conti: Royal operators appear to be former members of Conti ransomware, which is believed to have disbanded by May 2022.

BlackSuit: BlackSuit ransomware is said to be "a direct successor to the notorious Russian-linked Conti operation." Researchers have observed Royal using the BlackSuit encryptor, and there are suspicions that Royal will rebrand as BlackSuit or another group. Some researchers believe that BlackSuit is an experiment of Royal's and may ultimately be employed by Royal through a subgroup with specific targets. As of this writing, Royal and BlackSuit are both active threats.

Storm-0569 (formerly Dev-0569): This threat group is a key player as both a developer and distributor of Royal ransomware. They are known for innovative deployment techniques, such as a Google Ads malvertising campaign.

Conclusion

Royal is a product of a maturing ransomware industry. As the ransomware actors get more experience, they move on to new opportunities and they take their knowledge with them. Groups may dissolve or fracture, but the threat doesn’t go away. Some individual operators are arrested, but the ones who remain form new groups and they are effective threat actors on the first day.

There are many ways for ransomware to get into your systems. The best way to think of ransomware defense is to think in terms of threat vectors: you will never be fully secure if you look only at specific entry points like those listed above. Leverage advanced threat intelligence with incident response capabilities to protect all your attack surfaces. Barracuda offers a cybersecurity platform with advanced capabilities to secure your email, networks, applications, and data.